LDAP Programming Example (Using Netscape Directory SDK for Java) PowerPoint PPT Presentation


1
OSI Directory Service
2
What is a Directory?
  • ??????binding??????????entities
  • ???????,?????????,???????????

3
Characteristics and Requirement of a Directory
  • Reliability ????????????
  • Accessibility ????End-Users???
  • Standard Based ???????,??????
  • Data Integrity ?????????
  • Registrants Right ????
  • PKM ????
  • Legal ????????????

4
OSI Directory Services-X.500
  • X.500???????????
  • X.500 Overview(??)
  • X.501 Model(??????)
  • X.509 Authentication(????)
  • X.511 Abstract Service Definition(??????)
  • X.518 Procedures for Distributed
    Operation(???????)
  • X.519 Protocol Specification(??????)
  • X.520 Selected Attribute Types(??????)
  • X.521 Selected Object Types(??????)
  • X.525 Replication(??)

5
OSI Directory Services-X.500(Cont.)
  • X.500???general-purpose??????,??????????????
  • 1. ?? Query >> Update
  • 2. Update???????????????
  • 3. ?????????????,???Data????
    ?????????Inconsistency???????? ?????lock?
  • ???????,???????????????,????????????????

6
Characteristics and Requirement of X.500
  • ?????????level of indirection(??????)
    ???????????????????
  • ???user-friendly?view????????????

7
Users access to the Directory
[Figure: Directory Users, Directory User Agent, Access Point, Directory]
??????????????????????? ???????,??Directory
Abstract Service, ???OSI?????-Remote Operations
Service(ROSE) ?Association Control
Service(ACSE)???DAP?
8
Logical view of X.500-view from users
  • Directory Information Base
  • Entries
  • Attributes
  • Types
  • Values
  • Alias Entries A Reference to another Entry
  • ??X.500???????DIB??Entities??????,????????,???????
    ?DIB??Directory Information Tree (DIT Tree)

9
Logical view of X.500-view from users(Cont.)
10
Logical view of X.500-view from users(Cont.)
  • Directory Schema
  • ?????????,????????DIB?????????????????????????
    ????????????????????
  • ????,Directory Schema???
  • DIT Structure definitions ????Entry?????????DIT
    Tree???Entry???

11
Logical view of X.500-view from users(Cont.)
  • Object Class definitions ???????????Class???????
    optional?attributes?
  • Attribute Type definitions ??????????-??????????
    Multi-Value?
  • Attribute Syntax definitions ??attribute?????ASN
    .1?????,X.520??X.521????????????

12
Logical view of X.500-view from users(Cont.)
13
Access to information-view from users
  • ??????DUA?Directory?????request,?X.511????????????
    ?
  • ????-Service Qualification
  • ????-Directory Interrogation
  • ????-Directory Modification

14
Service Qualification
  • ??????DUA????Service Control,??
  • Prefer Chaining rather than Referrals
  • Chaining is prohibited
  • Maximum elapsed time in seconds 
  • Operation priority
  • ???????????,???security Mechanism

15
Service Qualification(Cont.)
16
Service Qualification(Cont.)
The Service Controls
17
Service Qualification(Cont.)
Security Parameters
18
Access to information-view from users
  • ??????DUA?Directory?????request,?X.511????????????
    ?
  • ????-Service Qualification
  • ????-Directory Interrogation
  • ????-Directory Modification

19
Directory Interrogation
  • ?????????
  • Read
  • Compare
  • List
  • Paged Results Service
  • Search
  • Filter
  • Abandon

20
Read Operation
  • ??????????
  • Read??????
  • DN of Entry
  • Entry Information Selection
  • Selected Attributes??? All User Attributes
  • Selected Information???Attributes Types and
    Values
  • Selected Extra Attributes?????
  • Tell Me My Modify Rights  True ? ??modification
    access rights
  • Common Arguments

21
Read Operation(Cont.)
  • Read???
  • Entry Information Requested
  • Modify Rights Requested
  • Common Results
  • Security Parameters
  • Distinguished Name of the Result Originator 
  • Alias Dereferenced Flag

22
Compare Operation
  • ????????,????Yes or No
  • Compare??????
  • Purported Name of an Entry
  • Purported Attribute Value ????match?????????????
  • Common Arguments

23
Compare Operation(Cont.)
  • Compare???
  • DN of Entry
  • The Matched Flag The result
  • Flag if the information was retrieved ???True
  • The subtype used in the comparison
  • Common Results

24
List Operation
  • ????????DN?Entries
  • List??????
  • Purported name of entry
  • Requesting Paged Results
  • Common Arguments

25
List Operation(Cont.)
  • List???
  • DN of target Entry
  • Information about the subordinates
  • If this is not the complete set of subordinates ,
    why not ?????????DSA???????
  • Common Results

26
Paged Results Services
  • ????DUA implementations????handle???output
  • ????DSA????screen,??????Paged Results?????New
    Request??Continued Request

27
Search Operation
  • ??user???criteria,??user???DIT Tree,?????????
  • Search ?????
  • purported name of the base object ????????
  • portion of DIT to be searched
    ???baseObject?oneLevel?wholeSubtree
  • filtering criteria
  • Flags if aliases within the scope should be
    dereferenced

28
Search Operation(Cont.)
  • Entry Information Selection 
  • Requesting Paged Results
  • Common Arguments
  • Search???
  • base object?DN
  • requested information that passed the filter
  • If this is not the complete set of entries,why
    not
  • Common Results

29
Abandon Operation
  • ?????????????,???????request,?????????????request,
    ????????????
  • Abandon?????? invoke ID
  • Abandon???
  • ?? ?????
  • Abandon???operation????null???
  • ???operation???Abandoned error
  • ?? ??AbandonFailed

30
Access to information-view from users
  • ??????DUA?Directory?????request,?X.511????????????
    ?
  • ????-Service Qualification
  • ????-Directory Interrogation
  • ????-Directory Modification

31
Directory Modification
  • ?????????
  • Add Entry
  • Remove Entry
  • Modify Entry
  • Modify (R)DN operation

32
AddEntry Operation
  • ???DIT Tree????leaf node
  • AddEntry??????
  • The name of the new entry DN
  • The attributes of the new entry??alias
  • The DSA in which the entry is to be added
  • Common Arguments

33
AddEntry Operation(Cont.)
  • Add Entry???
  • DSA???Check???????????
  • DSA????????Entry???????DIT Tree?subschema
  • DSA????????name form?DIT????(DIT structure
    Rule)????
  • Add Entry???
  • ?????????????????????,???????????

34
RemoveEntry Operation
  • ?DIT Tree?????Entry
  • ?????????????,????subtree???????????,???????????Re
    moveEntry?????
  • ???leaf node?(??DIT Tree???????)

35
RemoveEntry Operation(Cont.)
  • RemoveEntry??????
  • DN of the Entry to be deleted
  • Common Arguments
  • RemoveEntry????,???check??????,??user?????????????
    ??????Entry
  • RemoveEntry????AddEntry???????

36
ModifyEntry Operation
  • ??Directory???Entry???(??????????????Entry
    (R)DN???????????,????????-ModifyDN?????????)
  • ModifyEntry??????
  • DN of Entry to be modified
  • ??Entry?????,?? ??????????????????????????????
  • Common Arguments
  • ModifyEntry??????????????

37
Modify(R)DN Operation
  • ??Directory???node?RDN
  • ?93????,?????leaf node?RDN(???ModifyRDN),??93??,??
    ???????non-leaf node?RDN,?????entries????RDN????

38
Modify(R)DN Operation(Cont.)
  • ModifyDN??????
  • DN of entry to be modified
  • new RDN for that entry
  • Flag if deleted old RDN ???????
  • New superior of the Entry DN Optional ,
    ????????
  • Common Arguments
  • ModifyDN???????????

39
Naming service of X.500
  • ????????????
  • ???????????????????Relative Distinguished
    Name(RDN) ???,?????????????parent
    ?????Distinguished Name (DN)??????????????????
  • ??root entry???null RDN?DN,?????????????DIT Tree
    Model?????

40
Naming service of X.500 (Cont.)
41
Partitioning of X.500
  • ?Partition?????
  • ????
  • ???parallel processing???
  • ??????
  • X.500????????hierarchy???????partitioning

42
Partitioning of X.500(Cont.)
  • Search in a partitioned DIT tree
  • ???????????local,??local??????
  • ????local,?????request??????leaf-node,??????reques
    t
  • ??????????sub-tree?,??????,???node???????????

43
Functional Model of Directory
  • ????????Directory System Agent(DSA)???
  • DSA?????
  • ??DUA?????request
  • ????DSA????request???

44
Functional Model of Directory(Cont.)
45
Organizational Model of Directory
  • DIT Tree????,???????????????sub-tree,???Administra
    tive Area
  • ????????????DSAs????????DUAs???????Directory
    Management Domain(DMD)
  • DMD??????????DSA????
  • Administrative Area?root entry???Administrative
    Entry

46
Organizational Model of Directory(Cont.)
47
Operation Model of Directory
  • DUA???????DSA????,DSA????????
  • request????DSA? ?????
  • request???DSA? ???DSA??
  • DSA????? (X.518??)
  • Multicasting
  • DSA????????sub-entry?????DSA?(NSSR)
  • ????????????DSA
  • ???????(subordinate reference)
  • ?????search??list???
  • DSA????????????DSA?request,?????

48
Operation Model of Directory(Cont.)
  • Chaining
  • DSA??????DSA,???DSA????????,???DSA????request??
    ??
  • Uni-Chaining ??????DSA
  • Multi-Chaining ????DSA
  • Parallel Multi-Chaining ??????DSA
  • Sequential Multi-Chaining ??????DSA
  • Referral
  • ?????DSA??DUA?????DSA???,???????????Chaining???
    ?

49
Operation Model of Directory(Cont.)
  • Mode determination
  • ??DSA????????request,??????????????,??
  • Chaining??????service control????,?????chainingReq
    uired ServiceError??????referral
  • ??DSA??????????????????Chaining,?????????referral

50
Replication
  • X.500???-?? (Master-slave) ????
  • X.500 ?????????
  • Caching ????????,????????,?X.518?????????cache??
    ?????access control
  • Shadowing ????Shadowing agreement(Directory
    Operational Binding Management Protocol)??,???DSA?
    ?mirror??

51
Replication(Cont.)
  • Shadowing Agreement ??????
  • what data needs to be copied
  • what the data is to be used for
  • when the updates are to be provided
  • how much is to be charged for the service
  • what security policies must operate in the
    consumer DSA

52
Replication(Cont.)
  • Directory Operational Binding Management Protocol
  • DOP??????
  • the binding type
  • the binding ID
  • the Access Point of the initiator
  • a set of parameters specific to the role of the
    initiator
  • the parameters of the shadowing agreement
  • The data that is to be shadowed (unit of
    replication) 
  • The mode of update 
  • the validity time for the agreement

53
Replication(Cont.)
  • The mode of update 
  • supplier initiated
  • on change
  • scheduled
  • periodic
  • other times
  • consumer initiated
  • scheduled
  • periodic
  • other times

54
Replication(Cont.)
  • Role Specific Parameters
  • Shadow consumers x
  • Shadow suppliers
  • - ???initiator,??Establish Operational Binding
    request,????Establish Operational Binding
    response
  • The Access Point of the master DSA
  • Secondary shadows allowed or not bool.

55
Replication(Cont.)
  • DOP???
  • the binding type
  • the binding ID
  • the Access Point of the responder
  • a set of parameters specific to the role of the
    responder

56
Replication(Cont.)
  • X.500????Master-Slave??,????????????inconsistency?
    ??,???????????
  • Shadowing information is internally consistent
  • Knowledge of other parts of the DIT tree must be correct

57
Security Issue
  • X.501?????????????
  • ????
  • ??

58
Security Issue Access Ctrl.
  • X.501??ANNEX F??????Access Control
  • - Access Control Scheme?????
  • ????????????????DIT tree??detection,examination?mo
    dification Directory???
  • ?????????????????DSA???????????????????

59
Security Issue Access Ctrl.(Cont.)
  • X.501??Access Control Model????????Granting /
    Denying?permission
  • ??model??????
  • Accessible Part of the Directory
  • requestor
  • rights to operate
  • Governing

60
Security Issue Access Ctrl.(Cont.)
  • X.501???????permit access,????????
  • ??????Information(Protected Item)
  • Permission
  • Requestor
  • ??Operational Attributes???Access Control
    Information Items(ACI Items)

61
Security Issue Access Ctrl.(Cont.)
  • ????????????????,???????? (Directory Entry
    Level)????? (Attribute Entry Level) ????? (Value
    Instance Level)

62
Security Issue Authentication
  • X.509???Directory Services?????????
  • ???????? (Identity Interception)
  • ?? (Masquerade)
  • ?? (Replay)
  • ????? (Data Interception)
  • ????? (Manipulation)
  • ?? (Repudiation)
  • ???? (Denial of Service)
  • ????? (mis-routing)
  • ????? (traffic analysis)

63
Security Issue Authentication(Cont.)
  • X.509???????????
  • Simple Authentication ??DN?????????

64
Security Issue Authentication(Cont.)
  • Strong Authentication??????Public Key
    Cryptosystems,?????Private Key Encryption????????,
    ???????CA??????Public Key??????
  • - ?????????????
  • One Way Authentication
  • Two Way Authentication
  • Three Way Authentication

65
Security Issue Authentication(Cont.)
[Figure: digital signature flow. Sender: Msg. -> Hash -> Private Key Encryption -> Digital Signature; Msg. + Digital Signature = Signed Signature -> Transfer. Receiver: Signed Signature -> Split into Msg. and Digital Signature; Msg. -> Hash; Digital Signature -> Public Key Decryption; Compare the two hashes.]
66
Protocol
  • X.519??????protocol,????????,?
  • Directory Access Protocol (DAP) DSA?DUA?????
  • Directory System Protocol (DSP) DSA?DSA???????
  • Directory Information Shadowing Protocol (DISP)
    ???Shadow Agreement?????
  • Directory Operational Binding Management
    Protocol(DOP) ?????,DSA??binding???????

67
Protocol(Cont.)
  • Directory Access Protocol(DAP)
  • Bind ????OSI?AP??connection oriented?,?????????
    ?
  • Parameters
  • identification of the protocol (DAP)
  • the names and addresses of the communicating
    parties
  • security credentials
  • Unbind ?bind?????,?????????
  • ????????? Goto Page 18
  • ????????? Goto Page 30

68
Protocol(Cont.)
  • Directory System Protocol(DSP)
  • Bind and Unbind
  • ???DAP????,??????operation??chaining
    operation(DSP?????chaining)
  • ?DAP?????chaining??
  • ??????????chaining?????

69
Protocol(Cont.)
  • Directory Information Shadowing Protocol (DISP)
  • Bind and Unbind
  • Coordinate Shadow Update Supplier??Update
    Shadow
  • batch of updates it should have received last
    time round
  • what sort of update it will receive this time
  • update strategy
  • no updates ??update,consumer??update TimeStamp
  • Incremental ??????,?????update
  • total ?????
  • Request Shadow Update Consumer??Update Shadow
  • ?????????,??no updates?update strategy????
  • Update Shadow ??Update Shadow

70
Protocol(Cont.)
  • Directory Information Shadowing Protocol (DISP)

71
Protocol(Cont.)
  • Directory Operational Binding Management Protocol
  • Bind and Unbind
  • Establish Operational Binding
  • Modify Operational Binding
  • Terminate Operational Binding
    ??????,?unbind????active?!!

72
Protocol(Cont.)
73
X.500 AND LDAP
  • X.500???
  • DAP????,????????????
  • ??OSI 7 layer?????,???TCP protocol
  • ????????information???,?????????????
  • ???????,??????implement?????model,?????

74
X.500 AND LDAP(Cont.)
  • ??X.500??????,??????LDAP
  • Overview of LDAP
  • information model ? naming ? X.500??
  • Client-server??,LDAP????referrals(V3????)
  • ???X.500????????
  • search, add, delete, modify, RDN, bind, unbind and abandon
  • X.500????security???LDAP???????
  • ????????????????????
  • ??????????????????????

75
X.500 AND LDAP(Cont.)
  • X.500???
  • Chaining ? Replication?X.500???,?????????

76
LDAP Programming Example (Using Netscape
Directory SDK for Java)
77
Binding (Authentication)
  • Match a given entry (mostly a personal entry) in the server.
  • All operations occurring over the connection will be performed as that particular user.
  • Access controls to the data are based on how a client is bound to the server.
  • Anonymous Binding is allowed.

78
Connection and Binding Example (slides 78 and 79 combined)

```java
import netscape.ldap.*;
import java.io.*;
import java.util.*;

public class LDAPClient {
    public static void main(String[] args) {
        String host = "airius.com";
        int port = 389;
        String dn = "uid=jsmith, ou=people, o=airius.com";
        String pwd = "balabala123";
        LDAPConnection ld = null;
        try {
            ld = new LDAPConnection();
            // connect to the server and bind as dn (non-anonymous)
            ld.connect(host, port, dn, pwd);
            // anonymous alternatives:
            // ld.connect(host, port, "", "");
            // ld.connect(host, port, null, null);

            // perform the operations here

            // disconnect
            if (ld != null) {
                ld.disconnect();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

80
Searching Entries
  • Searching operation takes 3 parameters
  • base: a string that represents the search base
  • scope: an integer (constant) that represents the scope
  • filter: a string that is the search filter
  • Examples
  • (cn=Sam Carter)
  • (&(cn=Sam Carter)(ou=Engineering))
  • (&(!(cn=Carter))(|(ou=Engineering)(ou=Accounting)))
  • Server returns
  • DN
  • Attributes (name and value).

81
Searching Example (Program Fragment, slides 81 and 82 combined)

```java
String filter = "(objectclass=*)";
String base = "cn=config";
int scope = LDAPConnection.SCOPE_SUB;
// perform the search
// attrs = null: return all attributes
// attrsOnly = false: return attribute names and values (true would just return names)
LDAPSearchResults res = ld.search(base, scope, filter, null, false);
// get the individual results
while (res.hasMoreElements()) {
    LDAPEntry findEntry = (LDAPEntry) res.next();
    System.out.println("DN: " + findEntry.getDN());
    LDAPAttributeSet attributeSet = findEntry.getAttributeSet();
    for (int i = 0; i < attributeSet.size(); i++) {
        LDAPAttribute attribute = (LDAPAttribute) attributeSet.elementAt(i);
        System.out.println(attribute.getName());
        Enumeration enumVals = attribute.getStringValues();
        if (enumVals != null) {
            while (enumVals.hasMoreElements()) {
                System.out.println((String) enumVals.nextElement());
            }
        }
    } // end of for loop
}
```
83
Adding Entries
  • Object classes must be specified.
  • Object classes have 2 kinds of attributes
  • required
  • optional
  • After all required attributes are filled, the
    entry can be added.

84
Modifying Entries
  • Replacing an existing value or adding new value(s) to an attribute.
  • User must specify
  • DN
  • new or changed values.
  • Dependent upon current binding.
  • User must have permission to do this operation.

85
Removing Entries
  • Similar to modifying the entries.
  • User must specify
  • DN
  • User must have permission to do this operation.

86
Example (Program Fragment, slides 86 and 87 combined)

```java
// note: must bind as a user with permission
// add
String[] objectClassValues = { "top", "person", "organizationalperson" }; // array of values
LDAPAttributeSet attributeSet = new LDAPAttributeSet();
attributeSet.add(new LDAPAttribute("objectclass", objectClassValues));
attributeSet.add(new LDAPAttribute("cn", "Mark Wilcox"));
attributeSet.add(new LDAPAttribute("sn", "Wilcox"));
String newDN = "uid=mwilcox, ou=people, o=airius.com";
LDAPEntry entry = new LDAPEntry(newDN, attributeSet);
ld.add(entry);
// modify
LDAPModificationSet mod = new LDAPModificationSet();
LDAPAttribute attribute = new LDAPAttribute("sn", "William");
mod.add(LDAPModification.REPLACE, attribute);
attribute = new LDAPAttribute("mail", "1234@yahoo.com");
mod.add(LDAPModification.ADD, attribute);
ld.modify(newDN, mod);
// delete
ld.delete(newDN);
```
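
The "dependent upon current binding" and "must have permission" points of the modify and remove slides, as an added example that is not from the slides: the same modification is attempted once under an anonymous bind and once under the entry owner's own bind, and the server's result code is mapped to the reason it gave. Host, port, DNs and password are placeholders, and the class and method names are my own.

```java
import netscape.ldap.*;

// Added example, not from the slides: applies one modification under a given
// bind identity and reports the LDAP result code the server answered with.
public class BoundModify {
    public static final String HOST = "ldap.example.com"; // placeholder host
    public static final int PORT = 389;

    /** Returns the LDAP result code of the modify (LDAPException.SUCCESS = 0). */
    public static int modifyAs(String bindDN, String bindPwd,
                               String targetDN, LDAPModificationSet mods) {
        LDAPConnection ld = new LDAPConnection();
        try {
            ld.connect(HOST, PORT);
            // null DN and password = anonymous bind, as on the connection slide
            ld.authenticate(bindDN, bindPwd);
            ld.modify(targetDN, mods);
            return LDAPException.SUCCESS;
        } catch (LDAPException e) {
            return e.getLDAPResultCode();
        } finally {
            // always release the connection, whether the modify succeeded or not
            try { if (ld.isConnected()) ld.disconnect(); } catch (LDAPException ignored) {}
        }
    }

    /** Human-readable reason for the result codes this operation commonly returns. */
    public static String explain(int code) {
        switch (code) {
            case LDAPException.SUCCESS:                    return "modified";
            case LDAPException.INVALID_CREDENTIALS:        return "bind rejected: wrong DN or password";
            case LDAPException.INSUFFICIENT_ACCESS_RIGHTS: return "bound identity lacks permission on this entry";
            case LDAPException.NO_SUCH_OBJECT:             return "target DN does not exist";
            default:                                       return "LDAP error " + code;
        }
    }

    public static void main(String[] args) {
        String target = "uid=mwilcox, ou=people, o=airius.com";
        LDAPModificationSet mods = new LDAPModificationSet();
        mods.add(LDAPModification.REPLACE, new LDAPAttribute("sn", "William"));
        // Same change, two identities: the server's access controls decide
        // per bound DN, so anonymous is normally refused while the owner succeeds.
        System.out.println("anonymous: " + explain(modifyAs(null, null, target, mods)));
        System.out.println("owner:     " + explain(modifyAs(target, "placeholder-password", target, mods)));
    }
}
```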
88
LDAP Application
89
Available servers
  • ??LDAP?? (http://ldap.neto.net)
  • Yahoo People Search (http://people.yahoo.com)

Directory services can be used to
  • Keep your old friends in contact with you
  • Build up personal business address book
  • Retrieve corporate information
